Update: According to The Mac Observer, Apple has acted proactively to block the Java browser plug-in on Mac machines with OS X 10.6 Snow Leopard or higher. If you are running an earlier version of OS X, then you should disable Java as noted below.
Update 2: In a remarkably speedy turnaround, Oracle has released a patched Java VM (release 11, listed as b21 internally) that closes this particular hole. Users who need Java installed are urged to update ASAP. You may have to update manually; Mike Rose reports that the auto-update feature on his machine ended up crashing the Java control panel.
Here's the bad news: there is no "fix" for the bug yet. Here's the worse news: it is believed that malicious sites on the web are already aware of this security hole, and are trying to exploit it.
Is your Mac at risk? Maybe. It is possible that your Mac does not even have Java installed. Apple stopped including Java by default with Lion. However, if you have run into any websites or software that needs Java, it may have prompted you to install it.
So what should you do? Well, here are some options:
- Stop using the Internet and go live in a yurt.
- Disable Java
- Uninstall Java
- Ignore it and hope that everything will be OK.
Hopefully you guessed that options 1 & 4 are the "Not Good" options, so that leaves us with two choices: Disable or Uninstall?
Here's my suggestion: if you are on Mac OS X 10.7 or 10.8 (Lion or Mountain Lion) have Java installed and you're not just one of those people who goes around installing things willy-nilly, my guess is that you have (or had) some software program that relies on Java. If you uninstall it, something might break and you might not be able to figure out why.
However, if you disable Java in whichever browser(s) you use regularly, you can continue to use your web browser without worrying about this exploit. If you find a website that uses Java, you can turn it on, do what you need to do, and then turn it off again.
Safari Users: you can easily disable Java by going to Safari's Preferences, then choose the Security tab, and uncheck the appropriate box:
Google Chrome users need to go to chrome://plugins
Firefox users: Go to the "Tools" menu, then "Add-ons" (or ⌘ + Shift + A) and choose the "Plugins" tab. Then click the 'disable' button next to Java Applet Plug-in.
"But I need Java for these sites I use every day!"
OK, so that's the reasonable response that I think will work for most people, but if you happen to be one of the people who needs to use Java every day for a specific set of websites all is not lost.
In fact, there's a very easy solution called Fluid.app. This one might seem a little nerdy, but once you set it up, it's quite easy.
We've mentioned Fluid.app on TUAW in the past and it's one of my favorite tools. With Fluid.app you can make a "standalone" web browser with its own set of preferences, including Java. You can find these settings in your Fluid.app browser under 'Settings':
But wait! he said in his best made-for-TV voice There's more!
Fluid.app will also let you say exactly which websites (domains, URLs, etc) that you want to use with that browser. Go to the "Whitelist" preferences and enter the domains, like this:
Now that the rule that I have will allow me to visit any URL that includes www.google.com. You can add more sites using the + at the bottom of the window.
Add all of your known and trusted sites which use Java. If you come across a link to a different site, it will automatically send you over to your regular browser (where you have disabled Java). Using this system you can have the security of having Java disabled, but still have the convenience of being able to use it on sites that you trust.